Anatomy of a state-sponsored phishing attack: how the Syrian Electronic Army hacked The Onion


As I blogged earlier this week, the Syrian Electronic Army hacked The Onion's Twitter account and used it to post a bunch of dumb messages attacking Israel, the US, and the UN. Now, the Onion's IT administrators have posted a detailed account of how Syrian hackers used a series of staged and careful phishing attacks to escalate from a single naive user's email credentials to the password for the Onion's social media accounts.

Once the attackers had access to one Onion employee’s account, they used that account to send the same email to more Onion staff at about 2:30 AM on Monday, May 6. Coming from a trusted address, many staff members clicked the link, but most refrained from entering their login credentials. Two staff members did enter their credentials, one of whom had access to all of our social media accounts.

After discovering that at least one account had been compromised, we sent a company-wide email to change email passwords immediately. The attacker used their access to a different, undiscovered compromised account to send a duplicate email which included a link to the phishing page disguised as a password-reset link. This dupe email was not sent to any member of the tech or IT teams, so it went undetected. This third and final phishing attack compromised at least 2 more accounts. One of these accounts was used to continue owning our Twitter account.

At this point the editorial staff began publishing articles inspired by the attack. The second article, Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Deaths At Hands Of Rebels, angered the attacker who then began posting editorial emails on their Twitter account. Once we discovered this, we decided that we could not know for sure which accounts had been compromised and forced a password reset on every staff member’s Google Apps account.

I'm impressed by the cleverness of triggering a "password reset" message from the IT team, then sending out fake password-reset messages to users who aren't on the IT team to get them to click on yet another link. Most of the recommendations the IT team make are pretty bland ("educate your users"), but these two reccos are good:


The email addresses for your twitter accounts should be on a system that is isolated from your organization’s normal email. This will make your Twitter accounts virtually invulnerable to phishing (providing that you’re using unique, strong passwords for every account).

and

If possible, have a way to reach out to all of your users outside of their organizational email. In the case of the Guardian hack, the SEA posted screenshots of multiple internal security emails, probably from a compromised email address that was overlooked.
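The three waves the IT team describes share signals that are visible in mail metadata alone: a trusted internal sender fanning out to most of the staff at 2:30 AM, and a "password reset" notice whose link leaves the organisation's domain. The following Python triages a batch of messages for exactly those signals. It is an added example, not code from The Onion or Boing Boing; the domain example.com, the allowlisted reset hosts, the thresholds and the sample messages are all assumptions constructed for illustration.

```python
"""Triage internal e-mail for the phishing pattern described in the post.

Added example. The organisation domain, allowlist, thresholds and the
sample messages below are hypothetical, constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"  # the organisation's own mail domain (assumed)
# Hosts a genuine password-reset link for this organisation may point at (assumed).
RESET_LINK_ALLOWLIST = {"accounts.google.com", "sso.example.com"}
CREDENTIAL_LURE = re.compile(r"password|reset|log ?in|sign ?in|verify", re.I)
URL_PATTERN = re.compile(r"https?://[^\s<>\"']+")
OFF_HOURS = (22, 6)      # local hours treated as off-hours: 22:00 through 05:59
MASS_MAIL_THRESHOLD = 5  # distinct recipients at or above which a message is "mass mail"


@dataclass
class Message:
    sender: str
    recipients: list[str]
    sent_at: datetime
    subject: str
    body: str


def sender_is_internal(msg: Message) -> bool:
    return msg.sender.rsplit("@", 1)[-1].lower() == INTERNAL_DOMAIN


def external_link_hosts(msg: Message) -> set[str]:
    """Hosts linked from the body that are neither internal nor on the reset allowlist."""
    hosts: set[str] = set()
    for url in URL_PATTERN.findall(msg.body):
        host = (urlparse(url).hostname or "").lower()
        if not host or host in RESET_LINK_ALLOWLIST:
            continue
        if host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN):
            continue
        hosts.add(host)
    return hosts


def is_off_hours(when: datetime) -> bool:
    start, end = OFF_HOURS
    return when.hour >= start or when.hour < end


def risk_flags(msg: Message) -> list[str]:
    """Return the names of every rule the message trips (empty list means clean)."""
    flags: list[str] = []
    internal = sender_is_internal(msg)
    external = external_link_hosts(msg)
    if internal and external:
        flags.append("internal-sender-external-link")
    if external and CREDENTIAL_LURE.search(msg.subject + " " + msg.body):
        flags.append("credential-lure")
    if internal and len(set(msg.recipients)) >= MASS_MAIL_THRESHOLD and is_off_hours(msg.sent_at):
        flags.append("off-hours-mass-mail")
    return flags


def triage(messages: list[Message]) -> dict[str, list[str]]:
    return {m.subject: risk_flags(m) for m in messages}


# Constructed sample traffic modelled on the waves described in the post.
STAFF = [f"staff{i}@example.com" for i in range(1, 9)]
SAMPLE_MESSAGES = [
    # A compromised employee account mails the whole staff at 2:30 AM with a link off-domain.
    Message("writer@example.com", STAFF, datetime(2013, 5, 6, 2, 30),
            "Have you seen this story?",
            "Thought you'd all want to read this: http://news.example.net/story"),
    # A second compromised account echoes the IT reset notice but swaps in a phishing link.
    Message("editor@example.com", STAFF[:3], datetime(2013, 5, 6, 10, 15),
            "Please reset your email password now",
            "Per IT, reset your password here: http://google-accounts.example.net/reset"),
    # The genuine IT notice: same wording, but the link stays on an allowlisted host.
    Message("it@example.com", STAFF, datetime(2013, 5, 6, 9, 0),
            "Change your email password immediately",
            "Go to https://accounts.google.com/ and change your password now."),
    # Routine external newsletter: external sender, so the internal-sender rules do not fire.
    Message("news@vendor.example.org", STAFF[:2], datetime(2013, 5, 6, 3, 0),
            "Monthly update",
            "Read more at http://vendor.example.org/news"),
]

if __name__ == "__main__":
    for subject, flags in triage(SAMPLE_MESSAGES).items():
        print(f"{subject!r}: {flags or 'ok'}")
```

The keyword match is the weakest of the three rules and is easy to evade; the structural signals (an internal sender linking off-domain, and off-hours fan-out to most of the staff) are what a detection should lean on, and they are also what a mailbox isolated from ordinary staff mail, as the first recommendation suggests, would never see in the first place.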


Vice has an interview with an alleged member of the SEA about the hack (google “Speaking with an Alleged Member of the SEA about Hacking The Onion’s Twitter Account”).

Also, does anyone know the source of the “state-sponsored” in the headline? The SEA claims they’re not affiliated with the Syrian government so I’m wondering what bb is using as the source for that claim.

In June 2011, just a few short months after protests first erupted in Syria, the country’s president, Bashar Al-Assad, made a speech in which he thanked a group called the “Syrian Electronic Army” (SEA). Calling it a “virtual army in cyberspace,” Al-Assad praised the group for its effort in trying to shape the Syrian narrative.

If the unpopular president is thanking your group publicly you can guarantee it’s either already or soon-to-become state sponsored.

I still call shenanigans. Hacking a humor site is a bit like assaulting a masochist. All that scheming and no goal? I suppose this could have been a “dress rehearsal” for some bigger, more significant hack, but so far the net result here is that The Onion has drawn more attention to itself.

“Look, when the Syrian Electronic Army hacks into a website, we want users to immediately see our message that Zionist-controlled interests are distorting the facts that come out of Syria, not a bunch of huge, constantly looping ads for God knows what that assault the senses and literally leave you nauseated. And when we looked at the layout of The Onion’s homepage, we immediately realized the huge mistake we’d made.”

Oh and fuck you SEA – come get me bro. Show your 1337 skills. Your dear leader al-Asshole is soon going to be a corpse.